Method of enabling a server to authorize access to a service from portable devices having electronic microcircuits, e.g. devices of the smart card type

ABSTRACT

When access is requested, the method consists in causing the portable device to transmit at least an identity sequence containing at least the value of a cryptogram (C i ) which is the result of an iterative algorithm (A 2 ) being executed that is based on a non-invertible secret-key function (F2), and in causing the server to compute successive cryptograms (Q 1 , Q 2 , . . . ) on the basis of a cryptogram (Q 0 ) and by using the same algorithm (A 2 ) until a cryptogram (Q n ) is found whose value is equal to the value of the cryptogram (C i ) so as to validate access. The method is suitable in particular for use in a home banking application.

The present invention relates to a method of enabling a server toauthorize access to a service on the basis of portable devices havingelectronic microcircuits, e.g. devices of the smart card type.

In the nineteen-seventies, the advent of the concept of a card havingelectronic microcircuits, now commonly referred to as a “smart card” ora “chip card”, and incorporating in particular a microprocessor and anon-volatile memory of the EEPROM type, opened up numerous applications,in particular for use by the general public, with the appearance ofcard-operated public telephones, and then banking terminals takingadvantage of the facilities offered by the microprocessors incorporatedin such cards.

In general, such a card can be used as a mere access key for obtainingaccess to a service, whether such access be customized or otherwise, andwhether it be secure or otherwise, and/or as a means for validatinginformation transfer, e.g. between two cards, between a card and aterminal, or between two terminals, whether such information isconfidential or otherwise, and whether the transfer takes place remotelyor otherwise.

In most of the intended applications, access to a service or thetransfer of information is preceded by executing an identificationprotocol of the one-way type or of the both-way type, which protocoltakes into account at least one item of specific information that isprerecorded in the memory of the card.

The specific information taken into account in an identificationprotocol may be a confidential code or “PIN” code which is allocated tothe bearer of the card and which enables the microprocessor of the cardto authenticate said bearer before authorizing the bearer to access therequested service, as in the case of a banking transaction, for example.

The specific information taken into account in an identificationprotocol may also be a code specific to the service requested by thebearer of the card.

In which case, the code contained in the card is transmitted remotely orotherwise to a server for identification purposes. The identificationprotocol is either one-way, in which case the server authorizes accessto the requested service merely on the basis of recognizing the codetransmitted by the card, or both-way, in which case the serverauthorizes access to the requested service after various codes have beeninterchanged, which codes are computed separately in the card and in theserver, such codes taking into account a secret key and/or randomnumbers, for example.

The codes computed separately in the card and in the server may becryptograms, but each cryptogram transmitted by the card to the servermust be accompanied by synchronization information to enable the serverto authenticate the cryptogram transmitted by the card. Thesynchronization information may be a time stamp, but that requireseither the contents of a counter, or a time base in the card, which timebase must be synchronized with the time base of the server. Suchsolutions are described in particular in Documents U.S. Pat. No.4,601,011 and EP-A-0 451 056.

Such solutions suffer, in particular, from the drawback of being complexand difficult to implement.

An object of the invention is to design an identification protocol thatis simple and easy to implement, while guaranteeing a degree of securitythat is high enough to protect it from fraudulent users or “attackers”.

To this end, the invention provides a method of enabling a server toauthorize access to a service from portable devices having electronicmicrocircuits, e.g., devices of the smart card type, said method beingcharacterized in that it consists of initializing each portable deviceand the server, and, when a user requests access from a portable device,the method consists, in a synchronization first step, of:

causing the portable device to transmit at least a first identitysequence containing at least an identity number N_(c) allocated to theportable device and a cryptogram C_(i) computed by processing circuitsof the portable device, this cryptogram C_(i) being the result of aniterative algorithm A2 being executed that is based on a non-invertiblesecret-key function F2, and being such that its value is computed atleast on the basis of the value of the preceding cryptogram C_(i−1);

transmitting the first identity sequence to the server via a terminal;

causing processing circuits of the server to use the same iterativealgorithm A2 as the algorithm used by the portable devices to computesuccessive cryptograms Q₁, Q₂, . . . on the basis of a cryptogram Q₀stored in the server and whose value is equal to the value of thecryptogram C_(i−n) which was contained in the most recent identitysequence transmitted by the portable device to the server, until acryptogram Q_(n) is found whose value is equal to the value of thecryptogram C_(i) contained in the first identity sequence; and

giving a new value to the cryptogram Q₀ stored in the server, which newvalue is equal to the value of the cryptogram C_(i);

and in that the method consists, in an authentication second step, ofcausing the access request to be validated by the server only if atleast the synchronization first step has been satisfied.

To reinforce the security of the identification protocol, and accordingto another characterisic of the invention, in the authentication secondstep and once the synchronization step has been satisfied, the methodconsists of:

causing the portable device to transmit a second identity sequencecontaining at least the identity number N_(c) allocated to the portabledevice and the cryptogram C_(i+1) computed by the portable device on thebasis of the cryptogram C_(i) contained in the first identity sequenceand stored in the portable device;

transmitting the second identity sequence to the server via theterminal;

causing the server to execute the algorithm A₂ so as to compute thecryptogram Q₁ on the basis of the value of the cryptogram Q₀ stored inthe server;

causing the access request to be validated by the server only if thevalues of the two cryptograms C_(i+1) and Q₁ are equal; and

giving a new value to the cryptogram Q₀ stored in the server, which newvalue is equal to the value of the cryptogram C_(i+1).

The fact that two identity sequences must be transmitted successively bythe portable device before the server authorizes access makes itpossible to reinforce its security against attackers.

In general, during the synchronization step and during theauthentication step, the methods also consists of:

causing each portable device to compute and store a new cryptogramC_(i+1) when it transmits an identity sequence containing the previouslycomputed cryptogram C_(i); and

causing the algorithms A2 for computing the cryptograms of the portabledevices and of the server to take into account confidential data G_(c)allocated to the portable device by an authorized person.

Thus, on each request for access to the server from a portable device,the server manages an identification protocol which comprises asynchronization step and an authentication step.

The identification protocol can run only if each portable device and theserver have been initialized, i.e. only if they contain the informationnecessary to be able to execute the identification protocol.

In general, initializing each portable device consists of storing atleast the following items of information in a non-volatile memory of theEEPROM type in the portable device:

an identity number N_(c) allocated to the portable device;

confidential data G_(c) allocated to the portable device; and

the value of an initial cryptogram C₀ to enable the portable device tobe able then to compute the successive cryptograms C₁, C₂, . . .

During initialization of the portable device, the method may consist ofdiversifying or varying the confidential data G_(c) allocated to eachportable device on the basis of base data, and on the basis of analgorithm A1 corresponding to a function F1 having a secret key K_(s),the base data being, for example, the identity number N_(c) allocated toeach portable device.

The portable devices are initialized by an authorized person prior tobeing delivered to users. As a function of the intended applications, itis naturally possible to store other information in each portabledevice, but the information concerning the identity number N_(c), theconfidential data G_(c), and the value of the initial cryptogram C₀ arenecessary to implement the identification protocol in a preferredimplementation, regardless of the intended application.

In general, initializing the server consists of causing the server tostore the specific data allocated to each portable device so as to beable to implement the synchronization step and the authentication stepresulting in or preventing access to the service requested by the user.In practice, the following are stored in a file of the server and foreach portable device: the identity number N_(c); the confidential dataG_(c) or the secret key K_(s) enabling the server to compute saidconfidential data each time the portable device is used; and acryptogram Q₀ whose value is equal to the value of the initialcryptogram C₀ so as to be able to compute the successive cryptograms Q₁,Q₂, . . . on the same basis as the basis used by the portable devicesfor computing the successive cryptograms C₁, C₂, . . .

Initialization of the server is also performed by an authorized personwho is not necessarily the same person as the person who initializes theportable devices. Depending on the intended applications, initializationof the server is either performed entirely prior to delivering theportable devices to users, or else it is completed the first time accessto the server is requested, with users already being in possession ofthe portable devices.

These initialization operations for initializing the portable devicesand the server are explained in detail below in examples of applicationsof the method.

An important advantage of the invention is that the method can beimplemented in numerous and varied applications including home banking,remote payment of tolls, and motor vehicle alarms, where access to aservice from a portable device is authorized or not authorized as afunction of the result of execution of an identification protocol underthe control of a server which manages the requested service and which isconnected to a terminal that provides the interface between the portabledevice and the server.

Another advantage of the invention is that the method can be implementedby simple means, in particular as regards the portable devices whichsubstantially reproduce the known characteristics of smart cards, and inparticular of cards equipped with voice or radio-frequency outputinterfaces for transmitting the identity sequences to the server.

Other characteristics, advantages, and details of the invention areexplained below with reference to the three above-mentioned applicationsto emphasize the diversity of the applications for which the inventionmay be advantageous.

BRIEF DESCRIPTION OF THE DRAWINGS

In the drawings:

FIG. 1 shows the process of steps in a synchronization first step.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

In general, the method of the invention involves at least the following:

an algorithm A1 based on a secret-key function F1 for computingconfidential data G_(c) such that:

G _(c) =F1(K _(s) ,N _(c))

where K_(s) is a secret key and N_(c) is the base data allocated to eachportable device; and

an iterative algorithm A2 based on a non-invertible secret-key functionF2 for computing successive cryptograms C₁, C₂, . . . such that:

C ₁ =F2(G _(c) ,C ₀)

C _(i+1) =F2(G _(c) ,C _(i))

To implement the method of the invention, each portable-device, referredto below as a “card”, includes, in known manner, at least the following:a non-volatile memory of the EEPROM type; processing circuits such as aprocessor; and an input/output interface. The server includesinformation storage media and associated processing circuits. Thealgorithm A2 which is executed by the cards is advantageouslyhard-wired, whereas the algorithms A1 and A2 which are executed by theserver are stored in the form of software.

In general, and regardless of the intended application, the cards mustbe initialized before they are distributed to the users.

Such initialization operations are performed by an authorized personreferred to below as a “distributor”, and they consist of allocating toeach card at least the following:

an identity number N_(c);

confidential data G_(c); and

the value of a cryptogram C₀.

Each identity number N_(c) is in the form of alphanumeric data, and thevalue of the initial cryptogram C₀ is a function of the intendedapplication.

The confidential data G_(c) allocated to each card may be the result ofan initial computation resulting from the above-mentioned algorithm A1being executed, and this is the case for the applications describedbelow in which the confidential data G_(c) is diversified or varied bythe distributor on the basis of base data and of the algorithm A1 havinga secret key K_(s) allocated to a batch of cards, the base data being,for example, the identity number N_(c) allocated to each card. Thus, theconfidential data G_(c) allocated to each card is such that:

G _(c) =F1(K _(s) ,N _(c))

The initialization data which is different for each card is stored bythe distributor in the respective memories of the cards.

In parallel, the distributor must initialize the serer, this consistingof giving the server the means to be able to identify each card by itsidentity number G_(c), to know the value of the confidential data G_(c)or the elements that enable it to compute this data, and to know thevalue of the initial cryptogram C₀.

For this purpose, the distributor opens a file in the memory of theserver in which, for each initialized card, the distributor stores theidentity number N_(c) while associating it firstly with the value of theconfidential data G_(c) or the elements enabling it to compute saidconfidential data, and secondly with a cryptogram Q₀ whose value isequal to the value of the initial cryptogram C₀.

In a first application to home banking, the distributor initializes eachcard by storing in its memory an identity number N_(c), confidentialdata G_(c), and the value of an initial cryptogram C₀, this informationbeing different from one card to another. In this first application, thevalue of the cryptogram C₀ is arbitrary and, for example, it may beequal to zero.

Once these items of information have been stored in the card, thedistributor reads the value of the cryptogram C₀, thereby automaticallycausing the algorithm A2 to be executed so as to compute the cryptogramC₁ whose value is a function of the confidential data G_(c) and of thevalue of the preceding cryptogram C₀, and the value of the cryptogram C₁is stored in the card in place of the value of the cryptogram C₀.

During the operation of initializing the server, for each card of abatch of cards and in a file of the server, the distributor stores theidentity number N_(c), the secret key K_(s) allocated to the batch ofcards to make it possible for the value of the confidential data G_(c)to be subsequently computed, and a cryptogram Q₀ whose value is equal tothe value of the initial cryptogram C₀.

In this first application, each card may advantageously be equipped witha voice output interface and with an input/output interface havingcontacts.

The user can thus access the server from a telephone set connected tothe server via the telephone network. Once the link has been set up withthe server, the identification protocol for identifying the user card isengaged by the server to accept or refuse the requested access, theprotocol involving a first step of synchronization and a second step ofauthentication.

FIG. 1 step 100 illustrates the synchronization first step, includingthe step in which the server requests the user to cause the card totransmit at least one first identity sequence, containing the identitynumber N_(c) and the value of the cryptogram C₁, or more generally ofthe cryptogram C_(i), that are stored in the card.

This first identity sequence is transmitted in the form of a voicesequence, which is transmitted to the server via the microphone of thetelephone handset. In general, this transmission is caused by depressinga button provided on the card and, following this transmission, the cardautomatically executes the algorithm A2 so as to compute a newcryptogram C_(i+1) whose value is stored in place of the cryptogramC_(i).

After receiving the first identity sequence step 200, the serversearches in its file for an identity number Nc corresponding to theidentity number that has just been transmitted by the card, step 300. Ifthis search is unsuccessful, the identification protocol is stopped,step 400, and the server does not validate the requested access.Otherwise, the synchronization first step continues and the server takesthe values of the secret key Ks and of the initial cryptogram Q₀ thatare associated with the card identity number Nc that the server hasfound in its file.

First, the server computes the value of the confidential data Gc, step500, of the card on the basis of the secret key Ks and of the identitynumber Nc of the card. For this purpose, the server executes thealgorithm A1 such that:

Gc=F1(Ks, Nc)

Second, the server executes the algorithm A2 so as to compute a firstcryptogram Q₁ on the basis of the confidential data Gc and of the valueof the cryptogram Q₀, such that:

Q ₁ =F2(Gc, Q ₀)

then a second cryptogram such that

Q ₂ =F2(Gc, Q ₁)

step 600 is repeated until a cryptogram Q_(n) is found whose value isequal to the value of the cryptogram C_(i), step 700, contained in thefirst identity sequence transmitted by the card.

In step 800, if these values are not equal after a predefined number ofiterations, the synchronization first step goes to step 400, theidentification protocol is stopped and the server does not validate therequested access. Otherwise, in step 900, the cryptogram Q₀ associatedwith the identity number Nc of the card in the file of the server isgiven a new value which is equal to the value of the cryptogram C_(i)transmitted by the card, and the synchronization first step isconsidered to be satisfied.

In an authentication second step, the server either accepts or refusesthe access requested by the user. In practice, this authenticationsecond step can be considered to be satisfied if at least thesynchronization first step has been satisfied.

However, to improve the security of an identification protocol in a homebanking application, the authentication second step consists of causingthe card to transmit a second identity sequence again containing theidentity number N_(c) of the card together with the value of thecryptogram C_(i+1) which has been computed automatically by the cardfollowing transmission of the first identity sequence. The secondidentity sequence is also transmitted in voice form and is transmittedto the server via the microphone of the telephone handset. On reception,the server verifies that the identity number N_(c) transmitted by thecard is identical to the identity number that was contained in the firstidentity sequence, and it executes the algorithm A₂ again so as tocompute the cryptogram Q₁ on the basis of the confidential data G_(c) ofthe card, that the server has already computed after receiving the firstsequence, and on the basis of the value of the cryptogram Q₁ must beequal to the value of the cryptogram C_(i+1) contained in the secondidentity sequence transmitted by the card.

If these values are not equal, the server does not validate the accessrequest by the user. Otherwise, the server gives a new value to thecryptogram Q₀ associated with the identity number N_(c) of the card,which new value is equal to the value of the cryptogram C_(i+1)transmitted by the card, and the server validates the access request bythe user.

Security is reinforced as a result of providing two identity sequences.An attacker might just, by chance, dial a first identity sequence with afirst cryptogram whose value is equal to the value of a cryptogram Q_(k)computed by the server after receiving the first identity sequence, butit is statistically almost impossible for such a person to be able todial immediately afterwards a second identity sequence with a secondcryptogram whose value is equal to the cryptogram Q_(k+1) computed bythe server after receiving the second identity sequence. In other words,it is impossible for an attacker to be able to transmit two successivecryptograms successfully without being in possession of the card.

In such an application to home banking, access is personal. Once theidentification protocol has been satisfied, the user's confidential codeor “PIN” code must be transmitted for the user to be authenticated bythe server.

In a second application to remote payment of tolls, the distributor alsoinitializes the server and a batch of cards prior to distributing thecards to the users.

During initialization of each card in the batch, the distributor storesin each card an identity number N_(c), confidential data G_(c), and thevalue of the initial cryptogram C₀. In this second application, thevalue of the cryptogram C₀ is advantageously diversified or varied onthe basis of base data, and on the basis of the algorithm A1 having asecret key K_(m) (different from K_(s)), this base data also being theidentity number N_(c) allocated to the card.

However, the server is initialized only partially by the distributorbefore the cards are distributed to the users. This partialinitialization of the server consists of storing in a file of the serverthe identity numbers allocated to the batch of cards, and the secret keyK_(s) associated with the batch so as to enable the server to be ablethen to compute the value of the confidential data G_(c) of each card.In other words, before the card is used for the first time, the serverdoes not store any value for an initial cryptogram Q₀.

The initialization of the server is completed when the user requestsaccess to the server for the first time via a toll terminal. In whichcase, as the motor vehicle goes past, the toll terminal causes the cardto transmit a first identity sequence containing at least the identitynumber N_(c) of the card and the value of the cryptogram C₀, as storedin the card. For this second application, each card is advantageouslyequipped with a radio-frequency output interface.

The first sequence is transmitted to the server, and the server searchesto determine whether the identity number N_(c) corresponding to thenumber that has just been transmitted by the card does indeed belong tothe batch of cards. If the search is unsuccessful, the server detectsand records that a motor vehicle has gone through a toll stationillegally. Otherwise, the server records in a file the identity numberN_(c) of the card and associates it with a cryptogram Q₀ whose value isequal to the cryptogram C₀ o transmitted by the card.

Then, the terminal causes a second identity sequence to be transmitted,which sequence contains again the identity number N_(c) of the card andthe cryptogram C₁ which has been computed automatically by the cardfollowing transmission of the first identity sequence. After the secondidentity sequence has been transmitted, the server searches in its filefor the identity number N_(c) corresponding to the number that it hasjust received from the card, and it computes firstly the value of theconfidential data G_(c) of the card by executing the algorithm A1 whichtakes into account the identity number N_(c) of the card and the valueof the secret key K_(s) allocated to the batch of cards.

Then, on the basis of the cryptogram Q₀ that it has associated with theidentity number N_(c) of the card, and on the basis of the confidentialdata G_(c), the server computes the cryptogram Q₁ by executing thealgorithm A2, and it verifies that the value of said cryptogram isindeed equal to the value of the cryptogram C₁ contained in the secondidentity sequence. If these values are equal, the motor vehicle goesthrough the toll station legally, and the server gives a new value tothe cryptogram Q₀ associated with the identity number N_(c) of the card,which new value is equal to the value of the cryptogram C₁ transmittedby the card.

In this remote toll-paying application, initialization of the server iscompleted after the server has received two consecutive identitysequences transmitted by the card when the motor vehicle drives past forthe first time. Advantageously, when the vehicle passes through onfollowing occasions, the card transmits a single identity sequence only,and the identification protocol is limited to the synchronization firststep that is described above in the case of a home banking application,and that suffices to authenticate the card.

In this remote toll-payment application, the cards are not personal.

In a third application, the method may be used in an alarm systemdesigned for a motor vehicle. As in the preceding applications, eachcard must be initialized, as must the server which is constituted inthis example by an alarm system specific to each motor vehicle.

The cards are initialized by the distributor, it being possible for oneor more cards to be allocated to the same user. Each card is theninitialized by storing in its memory an identity number N_(c),confidential data G_(c), and the value of an initial cryptogram C₀which, in this particular application, is equal to the confidential dataG_(c).

Preferably, the cards are then locked by the distributor to prevent themfrom being used in the event they are stolen, for example.

At this stage, the alarm systems of the motor vehicles are not yetinitialized. When the user takes possession of the motor vehicle, thedistributor initializes the alarm system of the vehicle. This operationconsists of unlocking the cards, in connecting one of the cards to thealarm system, and in causing said card to transmit a first identitysequence containing at least the identity number N_(c) and the value ofthe initial cryptogram C₀ which is equal to the value of theconfidential data G_(c). In a non-volatile memory of the EEPROM type,the alarm system stores the identity number N_(c), a cryptogram Q₀ whosevalue is equal to the value of the initial cryptogram C₀ transmitted bythe card, and confidential data G_(c) having a value equal to the valueof the cryptogram Q₀.

The distributor then causes the card to transmit a second identitysequence again containing the identity number N_(c) of the card plus thecryptogram C₁ as computed automatically following transmission of thefirst identity sequence. After the second sequence has been transmitted,the alarm system verifies that the identity number N_(c) does indeedcorrespond to the number that it has stored, and it executes thealgorithm A2 for computing the value of the cryptogram Q₁ on the basisof the value of the cryptogram Q₀, and on the basis of the confidentialdata G_(c) without having to compute said confidential data as is thecase in the two preceding applications. If the values of the cryptogramsQ₁ and C₁ are equal, the cryptogram Q₀ takes a new value which is equalto the value of the cryptogram C₁, and the initialization of the alarmsystem is finished for this card.

The card is then delivered to the user together with the keys of thevehicle, it being possible for the user to receive a plurality of cardsbut in a limited number (two or three for example) which are initializedfor the alarm system of the same vehicle.

In this application, each card is more generally in the form of a smallbox which is equipped at least with a radio-frequency output interface.

Under these conditions, when the user comes close to the vehicle, theuser presses on a button provided on the box to cause an identitysequence to be transmitted, which sequence contains at least theidentity number N_(c) and the value of the cryptogram C_(i) which arestored in the box. After transmission, the alarm system verifies thatthe identity number N_(c) is indeed equal to the number that is storedin its memory, and it executes a plurality of times the algorithm A2 forcomputing the successive cryptograms Q₁, Q₂, . . . , until a cryptogramQ_(n) is found whose value is equal to the value of the cryptogram C_(i)contained in the identity sequence transmitted by the box, after apredefined number of iterations.

If this synchronization first step is satisfied, the alarm system givesa new value to the cryptogram Q₀ that is equal to the value of thecryptogram C_(i), and it unlocks the doors of the motor vehicleautomatically. Otherwise, the user is then presumed to be an attackermaking a fraudulent attempt to force open the doors of the motorvehicle, and an alarm may be triggered automatically.

In this application, the synchronization first step suffices forauthentication to be performed. It should also be noted that, in thisapplication, the cards are not personal.

In the above-considered applications, the identification protocol is ofthe one-way type because only the server requests the card tocommunicate identity sequences to it to enable it to authenticate thecard.

However, in the context of the invention, it is also possible toenvisage an identification protocol of the both-way type to enablemutual authentication to be performed between a card and a server.

In which case, during the synchronization step, the card and the serverinterchange the values of the cryptograms C_(i) (card) and Q₀ (server)so that, on the basis of the values of these cryptograms C_(i) and Q₀,the cryptogram C_(i+1) can then, be computed by the card and so that thecryptogram Q₁ can then be computed by the server. The server informs thecard of the value of the cryptogram Q₁ so as to enable said card toauthenticate the server by comparing the values of the cryptograms Q₁and C_(i+1). If these values are not equal, access to the card isrefused. If they are equal, the card computes the value of thecryptogram C_(i+2) and transmits it to the server to enable the serverto authenticate the card by is comparing the value of this cryptogramC_(i+2) with the value of the cryptogram Q₂ computed by the server. Ifthese values are equal, access to the server is validated. Otherwiseaccess is refused.

Finally, in other applications of the personal radio pager type, atransmitter (call server) can send a message to a plurality of portablereceivers. However, it may be desirable to encode the transmittedmessage so that only the receiver to which the message is addressed candecode it.

In this application, the value of the cryptogram C_(i) (at thetransmitter) can be initialized on the basis of any value and, to send amessage, the server computes in particular the successive values of thecryptograms C_(i+1) and C_(i+2), and it then encodes the message on thebasis of the value of the cryptogram C_(i+2).

Then the server sends an identity sequence containing the identitynumber N_(c) of the receiver that is to receive the message, the valuesof the cryptograms C_(i), C_(i+1), and the encoded message. The receiverN_(c) which receives the identity sequence computes the value of thecryptogram Q₁ on the basis of the value of a cryptogram Q₀ which has thevalue of the cryptogram C_(i) transmitted by the transmitter. If thevalue of the cryptogram Q₁ is equal to the value of the cryptogramC_(i+1), then the receiver computes the value of the cryptogram Q₂ whichis therefore equal to the value of the cryptogram C_(i+2) and enablesthe receiver N_(c) to decode the message.

I claim:
 1. A method of enabling a server to authorize access to aservice from portable devices having electronic microcircuitscomprising: initializing each portable device and a server; when a userrequests access from a portable device, in a synchronization first step,causing the portable device to transmit at least a first identitysequence containing at least an identity number (N_(c)) allocated to theportable device and a cryptogram (C_(i)) computed by processing circuitsof the portable device; transmitting the first identity sequence to theserver via a terminal; causing processing circuits of the server to usean iterative algorithm (A2) to compute successive cryptograms (Q₁, Q₂, .. . ) based on a cryptogram (Q₀) stored in the server and whose value isequal to a value of a cryptogram (C_(i−n)) contained in a most recentidentity sequence transmitted by the portable device to the server,until a cryptogram (Q_(m)) is found whose value is equal to the value ofthe cryptogram (C_(i)) contained in the first identity sequence; givinga new value to the cryptogram (Q₀) stored in the server, which new valueis equal to the value of the cryptogram (C_(i)) contained in the firstidentity sequence; in an authentication second step, causing the accessrequest to be validated by the server only if at least thesynchronization first step has been satisfied; in the authenticationsecond step and once the synchronization step has been satisfied,causing the portable device to transmit a second identity sequencecontaining at least the identity number (N_(c)) of the portable deviceand a new cryptogram (C_(i+1)) computed by the portable device on thebasis of the value of the cryptogram (C_(i)) contained in the firstidentity sequence and stored in the portable device; transmitting thesecond identity sequence to the server via the terminal; causing theserver to execute the algorithm (A2) so as to compute the cryptogram(Q₁) on the basis of the value of the cryptogram (Q₀) stored in theserver; causing the access request to be validated by the server only ifthe values of the cryptogram computed by the portable device (C_(i+1))and the cryptogram computed by the algorithm (Q₁) are equal; and givinga new value to the cryptogram (Q₀) stored in the server, which new valueis equal to the value of the cryptogram computed by the portable device(C_(i+1)).
 2. The method according to claim 1, further comprising:causing each portable device to compute and store a new cryptogram(C_(i+1)) when the portable device transmits an identity sequencecontaining the previously computed cryptogram (Ci).
 3. The methodaccording to claim 2, further comprising: causing the iterativealgorithm (A2) for computing the cryptograms by the portable devices andby the server to take into account confidential data (G_(c)) allocatedto the portable device by an authorized person.
 4. The method accordingto claim 3, wherein each portable device is initialized by an authorizedperson prior to delivering the portable device to a user and wherein theinitialization operation causes at least the following items ofinformation to be stored in the portable device: an identity number(N_(c)) allocated to the portable device; confidential data (G_(c))allocated to the portable device; and the value of an initial cryptogram(C₀) to enable the processing circuits of the portable device to be ablethen to compute the successive cryptograms (C₁, C₂, . . . ).
 5. Themethod according to claim 4, further comprising: diversifying theconfidential data (G_(c)) allocated to each portable device on the basisof base data, and on the basis of an algorithm (A1) corresponding to afunction (F1) having a secret key (K_(s)) the base data being theidentity number (N_(c)) allocated to each portable device.
 6. The methodaccording to claim 5, wherein the server is initialized by an authorizedperson prior to delivering a portable device to a user, and theinitialization operation causes the server to store at least thefollowing items of information for each portable device: the identitynumber (N_(c)) allocated to the portable device; the secret key (K_(s))enabling the server to be able then to compute the value of theconfidential data (G_(c)) that has been allocated to the portabledevice; and a cryptogram (Q₀) whose value is equal to the value of theinitial cryptogram (C₀), the value of said initial cryptogram beingarbitrary.
 7. The method according to claim 5, wherein the server ispartially initialized prior to delivering the portable device to theuser, the partial initialization operation comprises: causing anauthorized person to store, in the server prior to delivering a batch ofportable devices to users: at least the identity numbers (N_(c))allocated to the portable devices and the secret key (K_(s)) associatedwith the batch of portable devices to enable the server then to computethe value of the confidential data (G_(c)) that has been allocated toeach portable device; and in that the server initialization operation iscompleted when the user requests access to the server for the first timefrom a portable device, a completion of the initialization comprises:causing the portable device to transmit a first identity sequencecontaining at least the identity number (N_(c)) allocated to theportable device and the initial cryptogram (C₀) stored in the portabledevice; transmitting the first identity sequence to the server via aterminal; verifying that the identity number (N_(c)) corresponds to anumber allocated to the batch of portable devices; associating, in theserver, this received identity number with a cryptogram (Q₀) whose valueis equal to the value of the initial cryptogram (C₀); causing theportable device to transmit a second identity sequence containing atleast the identity number (N_(c)) allocated to the portable device andsuccessive cryptogram (C₁) stored in the portable device; transmittingthe second identity sequence to the server via the terminal; causing theserver to execute the algorithm (A1) so as to compute the value of theconfidential data (G_(c)) allocated to the portable device; causing theserver to execute the iterative algorithm (A2) so as to compute thevalue of the cryptogram (Q₁) computed on the basis of the value of thecryptogram (Q₀) associated with the identity number (N_(c)) of theportable device, and on the basis of the confidential data (G_(c));verifying that the value of the cryptogram (Q₁) computed by the serveris equal to the value of the cryptogram (C₁) transmitted by the portabledevice; giving a new value to the cryptogram (Q₀) associated with theidentity number (N_(c)) stored in the server, which new value is equalto the value of the cryptogram (C₁) stored in the portable device so asto finish initializing the server; and causing the server to validatethe access request only if at least the server initialization operationhas been successfully finished.
 8. The method according to claim 7,further comprising: diversifying the value of the initial cryptogram(C₀) on the basis of base data, and on the basis of the algorithm (A1)having a second secret key (K_(m)) different from the secret key(K_(s)), the base data being the identity number (N_(c)) allocated tothe portable device.
 9. The method according to claim 4, furthercomprising: during the initialization of the portable device, giving theinitial cryptogram (C₀) the value of the confidential data (G_(c))allocated to the portable device.
 10. The method according to claim 9,wherein the server is initialized by an authorized person prior todelivering a portable device to a user, the initialization operationfurther comprises: causing the portable device to transmit an identitysequence containing at least the identity number (N_(c)) allocated tothe portable device, and the initial cryptogram (C₀); transmitting thisinitialization sequence to the server via a terminal; storing in theserver the identity number (N_(c)) allocated to the portable device;associating the identity number (N_(c)) with a cryptogram (Q₀) whosevalue is equal to the value of the initial cryptogram (C₀) and withconfidential data (G_(c)) whose value is equal to the value of theinitial cryptogram (C₀); causing the portable device to transmit asecond identity sequence containing at least the identity number (N_(c))allocated to the portable device and the cryptogram (C₁) stored in theportable device; transmitting the second identity sequence to the servervia the terminal; causing the server to execute the algorithm (A2) so asto compute the value of the cryptogram (Q₁) computed by the server onthe basis of the value of the initial cryptogram (Q₀) associated withthe identity number (N_(c)) of the portable device and on the basis ofthe confidential data (G_(c)); verifying that the value of thecryptogram (Q₁) computed by the server is indeed equal to the value ofthe cryptogram (C₁) transmitted by the portable device; giving a newvalue to the cryptogram (Q₀) associated with the identity number storedin the server, which new value is equal to the value of the cryptogram(C₁) transmitted by the portable device so as to finish initializing theserver; and causing the server to validate the access request only if atleast the server initialization operation has been successfullyfinished.
 11. The method according to claim 1, wherein the cryptogram(C_(i)) is computed by an iterative algorithm (A2) being executed thatis based is on a non-invertible secret-key function (F2), and being suchthat its value is computed at least on the basis of the value of thepreceding cryptogram (C_(i−1)).